The challenge of finding the right penetration tester

shearwater.com.au Consulting | Penetration Testing | Security Operations | Compliance | Security Education



Consumer Guide | Shearwater Ethical Hacking


If your organisation handles sensitive information, penetration testing is key to ensuring you have a secure environment and to preventing that information from falling into the wrong hands.

But the penetration testing industry can be a complex and unfamiliar field, and many organisations call themselves "professional" without any basis for that claim. Yet these are the people you rely on to interrogate your business systems and to run powerful, complex tools against your network. If they lack the knowledge and experience to use those tools properly, you are likely to waste a significant sum of money. Worse, they can damage, change, or take down critical components if their tools are not configured specifically for your environment. Unfortunately, a quick Google search can't tell you which penetration testers are competent and trustworthy and which ones you should never engage.

So, how do you identify and select a reliable partner for penetration testing? This guide outlines the 10 most important traits you should seek from a penetration tester to ensure that the identified risk to your organisation is accurate and meaningful, allowing you to be proactive in reducing the risks of cyber-attack.

10 traits of a reliable penetration testing partner

1 Conducts a penetration test

Unfortunately, some lower-priced and lower-skilled organisations sell you a penetration test but in reality only conduct a vulnerability assessment, and compared with a proper penetration test the results delivered to your company will be substandard. To truly understand the risks your organisation faces, the penetration testers must actively try to exploit the identified vulnerabilities, as well as flaws in your business logic, rather than simply running an automated vulnerability scanner.

2 Price is a factor

When it comes to penetration testing, you get what you pay for. We don't necessarily recommend that you select the most expensive penetration testing company, but you should make sure the company is prepared to spend the time to learn and understand your environment and your needs. This will help you get the best possible value for the amount you pay.

3 Dedicated penetration testers

There are many companies for whom penetration testing is not a core offering but a value-added service. However, staying at the forefront of the security industry is paramount in penetration testing, and maintaining that position requires a daily dose of penetration testing and security research. A penetration tester without this exposure and dedication may well be unaware of many of the attack vectors that cyber criminals are currently deploying.

Did you know?

There is a distinct difference between a penetration test and vulnerability assessment.

A penetration test evaluates the security of a computer system or network by simulating an attack by a malicious hacker: the tester actively attempts to exploit the weaknesses found and to show what an attacker could reach.

A vulnerability assessment, on the other hand, only identifies and ranks known (publicly disclosed) vulnerabilities; it does not attempt to exploit them, or to chain them together, to demonstrate real impact.


About The Reach Agency


Why Shearwater?

Customer Case Study | Shearwater Ethical Hacking

1 Security Specialisation & Focus

Information Security is the sole focus of what we do. We are passionate about organisations leveraging security for success, and focus on delivering value.

2 Unbiased Advice

We partner with clients, not vendors. Two main points differentiate our approach:

We offer strategic solutions that align with organisations' strategic goals.

We seek, test, and validate new technologies from different vendors. We have been early adopters of technologies, many of which are now staples in the information security toolkit.

3 Customer Centricity

We seek long-term partnerships, and offer no lock-in contracts because we are confident about the value we deliver. We value customer service, fast response, on-time delivery, constant improvement, and client communication.

4 Continuous Knowledge Exchange

We are committed to lifelong learning, and value the exchange of knowledge, internally and with our clients.

Shearwater's knowledge exchange is manifest in our comprehensive engagement reporting. We offer businesses Executive Level Reports, which highlight the risks associated with their information security. We also offer actionable recommendations for the internal security team.

5 Reputation

Our work in the field of information security is recognised locally and internationally, with the SANS Institute selecting us as its exclusive partner in Australia and New Zealand.

Our post-engagement follow-up is an additional benefit that allows clients to engage us with questions, or to seek guidance on issues referred to in our penetration testing report.

Shearwater Ethical Hacking offers in-depth executive-level reporting, which serves as a risk minimisation tool for management, and a technical document, listing vulnerabilities prioritised by risk level, for the internal security team. The report also provides private enterprise and government with access to mitigation strategies based on Shearwater's key insights into the cyber-threat landscape.

Penetration Testing Standards we follow:

The Open Web Application Security Project (OWASP)
The National Institute of Standards and Technology (NIST)
Open Source Security Testing Methodology Manual (OSSTMM)
Penetration Testing Execution Standard (PTES)
Penetration Testing Framework
Australian Government Security Policies and Guidelines

Our Certifications

Get in touch: 1300 228 872 | shearwater.com.au

Transparent Approach

A valuable attribute for our clients is the level of interaction and communication we provide during an engagement. We provide information in advance about our testing steps and are readily available to answer any questions or concerns.

Comprehensive

We manually validate automated findings and eliminate false positives. We also look for vulnerabilities that automated tools are unable to find, such as business logic flaws.

Responsive

We listen to our clients to understand their goals. Our team also alerts security staff, in real time, to critical vulnerabilities and threats discovered during testing.

Professional

Our testing is non-disruptive, and the risk of system downtime is minimal.

Whatever your Information Security challenge, we’re here to help you find the right solution.